Thursday, August 30, 2012

General interpretation of personal information

There has been various definitions about what should be included in interpetation of personal information. Here I have presented four different definitions: the definition od the Data protection Directive; Business dictionary's definition; definition, which Kang presented in his article “Information Privacy in Cyberspace Transactions” and the European Union Commission’s definition of personal information.

Directive 95/46/EC defines the notion of personal information in Article 2 as “any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.”[1] The Directive takes broad approach to the scope of personal information, which therefore should be protected and additionally the Directive predicts extra protection for sensitive information.[2]

Business dictionary defines personal information as “recorded information about an identifiable individual that may include his or her (1) name, address, email address, phone number, (2) race, nationality, ethnicity, origin, color, religious or political beliefs or associations, (3) age, sex, sexual orientation, marital status, family status, (4) identifying number, code, symbol, (5) finger prints, blood type, inherited characteristics, (6) health care history including information on physical/mental disability, (7) educational, financial, criminal, employment history, (8) others' opinion about the individual, and (9) personal views except those about other individuals.[3]

Kang in the article “Information Privacy in Cyberspace Transactions” presented a definition of personal information that has been set out in IITF principles[4]; personal information is “information identifiable to the individual,” and “personal” does not “mean especially sensitive, private or embarrassing” information.[5]  Therefore the important focus is on the relationship between an individual and information – sensitive or completely unimportant – whether or not it is identifiable to a person. The same could be interpreted from Article 2 of the Directive 95/46/EC, since personal information is, as previously mentioned, any information relating to an identified or identifiable person. However, the Directive definition is broader, since an individual can be linked also indirectly.

European Union Commission’s definition of personal information is: “any information relating to an identified or identifiable person ('data subject') who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more specific factors (physical, physiological, mental, economic, cultural, social).”[6]

According to Kang, there are three ways of relating personal information to an individual. First link is if the information can constitute an authorship connection to the individual. This could apply for information that has been created by an individual on purpose. Secondly, the information is identifiable to the individual if there is a descriptive link between them. Therefore the information can describe some individual’s recognizable feature or also the individual’s actions or behavior. The third way creates ‘instrumental mapping’ connection between information and an individual. This applies for personal information, which includes confidential pieces of information that act as keys to secured functions or processes, such as passwords to login to a network and to use automatic teller machines” and also for personal identity numbers.[7]

On the other hand information, which does not link to an individual and therefore is not identifiable to the individual, is not personal information. Kang described three cases where such link might be missing.[8] First example is information that is not about an ‘individual human being.’ In second example information is about ‘individual human being’ but is anonymized. Kang said that even though such information is about an ‘individual human being’ it is not considered as personal information since it does not constitute any danger to an individual’s privacy.[9] However, the issue is also when is certain information anonymous. The technology develops and information, especially on the Internet is extremely hard to anonymize.[10] Relating this issue Kang raised question of using anonymized personal information of other individuals, for example between a doctor and a patient. If a doctor would talk or write about patient’s health problems anonymizing him, the patient would not have (according to presented rule) a privacy protecting claim.[11] Kang claimed that “privacy involves the control of the flow of personal information in all stages of processing – acquisition, disclosure and use.”[12] Third example, which Kang presented is information related to a group. An individual is not anonymized but the information is not directly linked to an individual, but to the group of which the individual is part of.[13] Kang marked such approach as too formalistic, it is better to be aware of the idea that even legal persons function through their members acts and therefore information concerning such groups necessarily concerns its members as well.[14]


[1] Directive 95/46/EC.
[2] Lipton, J. D. (2010). Mapping online privacy. Northwestern University Law Review, Vol. 104, No. 2, pp. 477-515, p.509.
[3] Business Dictionary. (n.d.). BusinessDictionary.com. Retrieved March 10, 2012, from personal information: http://www.businessdictionary.com/definition/personal-information.html.
[4] IT Law Wiki. (n.d.). Information Infrastructure Task Force. Retrieved March 10, 2012, from http://itlaw.wikia.com/wiki/Information_Infrastructure_Task_Force.
[5] Kang, J. (1998, April). Stanford Law Review. Information Privacy in Cyberspace Transactions, Vol. 50, No. 4, pp. 1193-1294, p.1206.
[6] European Commission. (n.d.). European Commission Glossary. Retrieved March 10, 2012, from European Commission - Data protection: http://ec.europa.eu/justice/data-protection/glossary/index_en.htm.
[7] Kang, 1998, pp. 1207-1208.
[8] Id. p. 1209.
[9] Ibid.
[10] Ibid.
[11] Ibid.
[12] Ibid.
[13] Ibid.
[14] Id. p. 1210.